NARUC, NASEO team up to tackle distributed solar cyber risks as vulnerabilities grow

Dive Brief:

A new partnership between the National Association of State Energy Officials (NASEO) and the National Association of Regulatory Utility Commissioners (NARUC) aims to jump-start a conversation about cybersecurity best practices in distributed solar.
Distributed solar is not subject to the same level of regulation as utilities, despite the sector's growing importance to electric infrastructure.
The partnership was welcomed by solar industry leaders, who say growing solar connectivity necessitates a conversation about cybersecurity risks.

Dive Insight:

The popularity of solar energy means the industry needs digital solutions for maintenance and upgrades, but those same solutions open a host of concerns about cybersecurity that are new to the industry, according to Tobias Whitney, who oversees Energy Security Solutions at Fortress Information Security.

Whitney said modern solar installations increasingly feature two-way communication that enables remote administrators to maintain or make adjustments to distributed systems in a much more efficient manner than if they had to update those systems manually. These communications are handled by increasingly large aggregators that, if compromised, have the potential to bring down enough rooftop, community and private industrial solar to have a significant impact on the grid, he said.

"Now is the time to address cybersecurity," Whitney said, "realizing that if we don't design security correctly now, this could result in some more significant risks in the near future."

One of the primary threats to solar cybersecurity, Whitney said, is that most of the intermediary companies that operate these distributed resources remotely aren't subject to the same level of regulatory scrutiny as a utility. These companies may often use tools such as cloud computing and may work with third-party vendors, opening them to risks not present in the utility sector, where these technologies are less common. "There needs to be some oversight and development of standards for the operations of these systems," Whitney said.

The new NASEO-NARUC partnership, with funding from the U.S. Department of Energy, hopes to fill that gap. In a June 18 press release, NARUC indicated that the growth of two-way communication in distributed solar has created a need for state-level decision makers to evaluate the potential security implications of this new technology.

"We've paid less attention to distributed generation, and even the internet of things end use products, over the last several years, and we felt it was important to bring some attention to this area," said NASEO Executive Director David Terry.

It's not just that new technology has increased the potential for cyber attacks on rooftop, community or private industrial solar installations, Terry said. The rapid adoption of distributed solar in states such as California means that these energy resources are increasingly important to community welfare. Florida, for example, has outfitted dozens of schools with solar and backup energy storage so they can be used as emergency shelters during disasters, he said.

"Solar can be and is an important resilience element," he said. But cybersecurity, he added, means being aware that there are sophisticated bad actors who may want to compromise the grid. "Our grid is becoming more integrated, and that presents certain vulnerabilities."

Leaders in the solar industry also see and support the need for more uniform security standards, according to John Smirnow, vice president of market strategy at the Solar Energy Industries Association. "As an industry, we feel very strongly about cybersecurity," he said. "Our goal is to become the most secure energy resource on the grid, so as we ... want to move toward uniformity and standardization."